anthonycr / Lightning-Browser

A lightweight Android browser with modern navigation
http://acrdevelopment.org
Mozilla Public License 2.0

Lots of invalid https certs #528

Closed jcrowgey closed 6 years ago

jcrowgey commented 7 years ago

I'm getting lots of invalid https cert warnings from lightning (but not from other browsers on my system like Google Chrome). This is from major sites like amazon.com and duckduckgo which I'm pretty sure have proper https in place. Any ideas about what could be going wrong? If someone was doing mitm on me, presumably that would happen on any browser on my system. My guess is that something has gone awry with IPC or whatever subroutine does signature validation. Let me know what other info would be helpful for debugging this.

Thanks!

alt-grr commented 7 years ago

> invalid https cert warnings

What kind of warnings? Cert expired? Cert untrusted?

jcrowgey commented 7 years ago

The specific message is an alert which says:

Warning Connection to this site is not secure

So I don't know if I'm having trouble verifying signatures or what. It's doubly annoying cos on a site which does ajax stuff to load the page, I get one of these warnings for every ajax reply. So I have to dismiss that alert tens of times for some sites. Let me know if you have ideas for debugging this.

One thing which may be relevant: I have AFWall running which blocks Internet access to several programs which I don't think should be using the Internet. Obviously Lightning is not blocked, but if Lightning uses some external app to do cert validation then maybe the firewall is related to the issue.

Thanks in advance for any tips!

alt-grr commented 7 years ago

This message is shown on a generic error: https://developer.android.com/reference/android/net/http/SslError.html#SSL_INVALID

> I have AFWall running which blocks Internet access to several programs which I don't think should be using the Internet. Obviously Lightning is not blocked, but if Lightning uses some external app to do cert validation then maybe the firewall is related to the issue.

Sooo, why not try to disable AFWall and see if the problem persists? Lightning is using Chrome WebView, maybe it's checking some online lists of invalidated certificates or something.
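Added example, not part of the thread and not Lightning's own code: a WebView client that logs which request failed and every error bit set on the `SslError` documented at the link above, instead of one generic alert. The callback runs for each resource that fails, so the logged URL identifies the failing page or AJAX request. The class name `DiagnosticWebViewClient` and the log tag are assumptions.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.ArrayList;
import java.util.List;

/** Hypothetical client (not Lightning's code): reports why WebView rejected a certificate. */
public class DiagnosticWebViewClient extends WebViewClient {
    private static final String TAG = "SslDiag"; // assumed log tag

    /** Lists every error bit set on the SslError, not only the primary one. */
    static List<String> describe(SslError error) {
        List<String> reasons = new ArrayList<>();
        if (error.hasError(SslError.SSL_NOTYETVALID)) reasons.add("certificate not yet valid");
        if (error.hasError(SslError.SSL_EXPIRED)) reasons.add("certificate expired");
        if (error.hasError(SslError.SSL_IDMISMATCH)) reasons.add("hostname mismatch");
        if (error.hasError(SslError.SSL_UNTRUSTED)) reasons.add("issuer not trusted");
        if (error.hasError(SslError.SSL_DATE_INVALID)) reasons.add("certificate date invalid");
        if (error.hasError(SslError.SSL_INVALID)) reasons.add("generic error (SSL_INVALID)");
        return reasons;
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        SslCertificate cert = error.getCertificate();
        // Record the failing URL and the presented certificate so the user (or a bug
        // report) can tell an expired leaf from an untrusted issuer or a WebView fault.
        Log.w(TAG, "TLS failure for " + error.getUrl()
                + " reasons=" + describe(error)
                + " subject=" + cert.getIssuedTo().getDName()
                + " issuer=" + cert.getIssuedBy().getDName()
                + " notBefore=" + cert.getValidNotBeforeDate()
                + " notAfter=" + cert.getValidNotAfterDate());
        // Fail closed: the load is cancelled; proceed() is never called automatically.
        handler.cancel();
    }
}
```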

jcrowgey commented 7 years ago

@kuc

The firewall logs don't indicate any blocking of any requests remotely related to lightning or webview (I see things like "theme viewer", "white balance", "google pdf viewer"). In any case, the test didn't hurt, so I carried it out. With firewall disabled I still get the invalid certs warning for amazon.com (inter alia).

Also, there's the wrinkle that Google Chrome browser is working fine on this system (no invalid cert warnings).

Let me know if there are other ideas I can try.

patricktokeeffe commented 7 years ago

This has been driving me totally fscking batty for over a week now. Anywhere from 1 to a dozen error notices appear on each page load, from the majority of sites I visit using Lightning (4.4.1 from F-droid repos). I don't have root or use any kind of network or app manager (like AFwall). And I see the exact same symptoms on three different devices.

It bothers me the error doesn't even identify the site possessing the "bad" cert and that I can't view the certificate itself.

screenshot_2017-01-27-08-22-42

razorshiv commented 7 years ago

I have been monitoring this thread and I might get smacked for this but I could not resist.

My setup includes a Nexus 6P with CyanogenMod 13.1 which is Android 6.0.1. Security patch level December 5th 2016. I too have the latest Lightning 4.4.1. I am rooted and do not use a firewall.

Using the example website above, www.beeradvocate.com produces no certificate error whatsoever and renders as secured. Nor have I encountered this error on any https websites I visit. And I use Lightning a ton as my daily and only installed browser.

I do not discount that there is an issue somewhere but I would not be assuming it is the browser unless the problem can be reproduced on a clean wiped phone and OS. I suspect that there is some other issue with the certificate chaining going on here. Such as a root or intermediate certificate missing, revoked or expired.

It is not entirely impossible that this problem can be duplicated unknowingly by the user across three devices.. I have done this myself at times.

My suggestion is to create test cases. Start with a clean wipe and Lightning as the only application installed. Begin to build your setup and testing after each addition of an application and configuration. The problem will eventually jump out at you at some point.

My .2 cents.

Regards

patricktokeeffe commented 7 years ago

As of yesterday I'm down to one working device unfortunately. I can't wipe my working phone but I do have a new Moto G3 that I can test on from a factory default state.

jcrowgey commented 7 years ago

@patricktokeeffe Really glad to hear that I'm not alone with this issue, gives me hope that we'll figure it out.

@razorshiv I appreciate your comment very much. But doesn't the fact that Google Chrome is working fine on the same device suggest that something here is related to Lightning. That is, if the system had some expired cert, wouldn't Chrome also see that as expired? Like patricktokeeffe, I can't wipe this device since it's my working phone. Looking forward to any further info about the problem, any logs I can examine, etc.

razorshiv commented 7 years ago

@jcrowgey To start, let us know what your environment consists of. What operating system, version, patch level and carrier. Is this a custom ROM or stock. Device make and model. Chrome version you have installed (some versions have WebView baked in them).

In response to your comment, I could also say that Lightning is working fine on my setup so the problem must be your setup. Really does not prove or disprove anything. There is obviously a difference in setups. Comparing versions of components may lead to a clue.

Regards

jcrowgey commented 7 years ago

@razorshiv

Model D5803 (Xperia Z3 Compact), Android 6.01, Sony Stock ROM 23.5.A.1.291, Kernel 3.4.0-perf-gc14c2d5

Looks like this is Chrome 50.0.2661.89

Lightning is 4.4.1, the fdroid build.

Cheers!

Your point about Chrome possibly having its own WebView baked in seems quite relevant!

razorshiv commented 7 years ago

I made the comment about chrome baking in WebView because I recall reading that Android 7 started using Android's WebView instead of its own. Since you are on Android 6, you are definitely using Chrome WebView. Question now, is Lightning using Chrome's WebView but not compatible.

Experiment: Maybe uninstall (not freeze) Chrome, reboot and try those sites with Lightning.

Regards

jcrowgey commented 7 years ago

Your comment seems to have led to a solution for me!

I looked into it and found that there was an updated Android Webview available.

54.0.2840.85 -> 55.0.2883.91

After updating webview, I'm no longer having this issue. Hopefully this will turn out to solve the issue for @patricktokeeffe too.

alt-grr commented 7 years ago

@jcrowgey No issues on my phone too with WebView version 55.0.2883.91 on www.beeradvocate.com

Krawei commented 7 years ago

Hello everybody,

first of all I'm glad that I'm not alone with this annoying cert issue.

I have updated WebView to the latest version and I hope this will fix the issue.

Nevertheless I would love to see more details in the cert warnings and the whole chain of trust, too.

Plus: It would be great to add a thread in the FAQs about this cert problem to help other users with the same issue.

Kind Regards, Krawei

patricktokeeffe commented 7 years ago

Sorry it took so long to circle back around. I'm also going to fault WebView.. this issue immediately disappeared after updating (now at 56.0.2924.87). I don't (didn't) use the Play Store -- that was the difference in my setup.

ypetruk commented 7 years ago

The matter of fact is that the problem is not with the browser, their solution works. The certificate request only appears if you enable Adguard. So it looks like the problem is on the Adguard side. Ticket ID:1601815

Revertron commented 7 years ago

The developer of the browser must implement this: https://developer.android.com/training/articles/security-config.html

joelobrecht commented 7 years ago

I had the same problem on my Galaxy S4 under stock Android 5.01, latest security patch Nov 2016.

After uninstalling (resetting to factory more likely) Android System WebView, I don't have any more invalid certificate alerts.

ameshkov commented 7 years ago

Here is an example of the network security configuration Chrome uses: https://chromium.googlesource.com/chromium/src.git/+/lkcr/chrome/android/java/res/xml/network_security_config.xml

Lightning browser seems to not have it, and that's why it does not trust user-added certificates.

diabl0w commented 3 years ago

sorry to resurrect this, but I am having the same problem. I have AFWall installed and using Bromite Webview as my webview implementation. Does anyone have any guidance? I really don't want to disable AFWall. What Android process is responsible for updating certs?

Edit: just for more info. I am not blocking webview or lightning with afwall, so it must be something else that is responsible for getting the certs. the exact error is the same as the image posted in the 5th reply (certificate is invalid)

puppykickr commented 3 years ago

@diabl0w First, try updating Android System Webview, then using it instead of what you are using. See if the problem persists. Try the same thing with your previous webview.

If all else fails, try another firewall.

NetGuard is great, and NoRoot Firewall works well too.

diabl0w commented 3 years ago

thanks! sorry I forgot to update my comment, but oddly enough clearing the cache/data of lightning webbrowser fixed the issue. I wish I tried that earlier as I've been dealing with this issue for about 6 months now. I wonder if a certain setting was causing this? either way, I'll see if the issue comes back and then try your suggestions

puppykickr commented 3 years ago

I always have Lightning set to clear the cache whenever the app closes.

Grant Ryan Swan (puppykicker)
